Blog Index

Tuesday, October 28, 2008

Remote Desktop Cut and Paste does not work

Issue:

When using RDP you may not be able to cut and paste information between your local and remote sessions.

Cause:

The rdpclip.exe processing may not be running on the remote system. Alternatively, the clipboard chain may be incomplete.

Workaround:

Restart the rdpclip.exe process on the remote system.

More Information:
The following article has a good article on Clipboard chaining;

http://blogs.msdn.com/ts/archive/2006/11/16/why-does-my-shared-clipboard-not-work-part-1.aspx

Thursday, October 2, 2008

schtasks /v verbose option may not display expected results

Issue:
When you run "schtasks /query /s [SERVER] /v" on a Windows XP machine, the scheduled tasks utility may not list any tasks.

Symptoms:
The Windows XP schtasks.exe utility (5.1.2600.2180) does not return any output. Task execution does not appear to be impacted by this command line limitation.

Cause:
A scheduled task is configured with a command line exceeding 254 characters.

Executing the command "schtasks /query /s [SERVER]" without the verbose option returns the list of scheduled tasks, however, when the /v option is used to display the extended properties of the task no output is returned.

Workaround:
Use the Windows 2003 version of schtasks.exe (5.2.3790.0) returns task information, although tasks with command lines exceed 254 characters are truncated.

Alternatively, use Windows explorer to view the task information.

Thursday, June 26, 2008

Preventing items from being added to the MFU list

The old addage of "Prevention is better than cure" I have found to be true with relation to removing items from the Most Frequently Used (MFU) start menu list.

The following powershell script prevents the Windows Tour icon and Migration settings wizard from being added to the MFU list. Of course, this could be used to prevent any other number of items from being added to the MFU list.

<<<>>>

$TaskDesc = "Clear MFU List"
$AddRemoveApps_New = ";TourStart.exe;MigWiz.exe"
$AddRemoveApps = Get-ItemProperty HKLM:\Software\Microsoft\Windows\Currentversion\Explorer\FileAssociation
-name AddRemoveApps
Set-ItemProperty HKLM:\Software\Microsoft\Windows\Currentversion\Explorer\FileAssociation
-name AddRemoveApps -value $AddRemoveApps$AddRemoveApps_New


# Test to see if the Registry action succeeded
If ($?) {
Write-Host "Enabled $($TaskDesc)"

} Else {
Write-Host "Error:$($TaskDesc) $($Error[0])"

}

Frequently used programs not automatically added to the Start menu
http://support.microsoft.com/kb/q282066/

Wednesday, June 25, 2008

Preventing users from executing files using Software Restriction Policies

Traditionally I have used NTFS permissions to restrict access for standard user accounts to certain executable files.

Most notably is reg.exe, when providing a managed workstation (SOE) to prevent standard users from accessing the registry. When coupled with Group Policy to restrict access to registry editing tools (regedit) it is effective in preventing access.

One alternative I had overlooked until recently was Software Restriction Policies. These can be applied as per most policies at the local or Group Policy level.

Summary:
A user with full permissions to a directory can be blocked from executing files using the Software Restriction Policies.

Using the "Disallowed" Security level, prevents execution regardless of the NTFS permissions the user holds, using Unrestricted honours the user account NTFS permissions.

Example:
User has Full Control of the folder C:\Test

Create a New Path rule by running GPEdit.msc
Local Security Policy / Software Restriction Policies / Additional Rules (Same location for a GPO)
New Path Rule
Path: C:\Test
Security Level: Disallowed

When the user executes a file from the path, the system prevents execution of the file.

C:\test\notepad.exe
The system cannot execute the specified program.


This could be applied to the SOE reg.exe scenario outlined earlier.

Another use I can see for this is to have a "scripts / tools" directory that the system can execute from Using a local System scheduled task, but those pesky users can't.

The following Microsoft articles list there purported uses of the facility, but this is interesting if nothing else and provides another tool for SOE builds that I hadn't considered using before.


Other rules can be specified to identify software including

Hash. A cryptographic fingerprint of the file
Certificate. A software publisher certificate used to digitally sign a file
Path. The local or universal naming convention (UNC) path of where the file is stored
See also "Registry Paths" as outlined in the reference documents.
Zone. Internet Zone

Using Software Restriction Policies to Protect Against Unauthorized Software

http://technet.microsoft.com/en-us/library/bb457006(TechNet.10).aspx

How Software Restriction Policies Work
http://technet2.microsoft.com/windowsserver/en/library/d24bc8c8-27cc-47ba-9b02-78d9d801e9371033.mspx?mfr=true

Thursday, June 12, 2008

SysPrep may not perform FullUnattend as expected

Issue:

When you supply a SysPrep answer file, SysPrep may not process the answer file as you expect. The Mini-Setup wizard stops processing and requests user input.

Cause:

One cause of this may be the use of comments within the SysPrep file. Sysprep.inf comments are denoted by the semi-colon (;) character. When a comment character is included on a line in the Sysprep.inf file, the complete line is omitted from processing.

Workaround:

Move the comment to a separate line of its own.

Example:

AutoMode=PerSeat ; Licensing Mode usually perseat

change the line as follows;

; Licensing Mode usually perseat
AutoMode=PerSeat

Wednesday, June 4, 2008

GPResult.exe may not complete Group policy report

Issue:
When you run "gpresult.exe /z" on a Windows XP machine, the RSOP may not complete processing.

Symptoms:
The GPResult.exe output is incomplete.

Cause:
A GPO contains the percent ("%") sign character. When the GPResult.exe encounters a % sign in the Group Policy Object, processing is terminated. The version of GPResult.exe with this issue is 5.1.2600.2180.

Typically, the % character may have been used in a Group Policy Computer startup/shutdown script or User Logon/Logoff script, to reference a local environment variable such as %SystemDrive%.

Workaround:
Use the Windows 2003 version of GPResult.exe, this tool is able to parse the % character successfully and completes the RSOP report. Version 5.2.3790.1830 or later of the GPResult.exe tool successfully parses the % character.

Alternatively, the GPMC console is able to generate the RSOP report successfully.

Tuesday, May 27, 2008

Powershell WMI one-liners

The PowerShell WMI capability is quite advanced and provides a vast scope for processing a returned recordset easily and effectively.

Here are just three types of Powershell WMI calls using different namespaces.

Return details about a service
get-wmiobject win32_service -filter "name='alerter'"

Return a users first name from Active Directory
(Get-WmiObject -namespace "root\directory\ldap" -class ds_user -filter "ds_Cn='[UserID]'").DS_givenname

Return details about a specified SMS package
Get-WmiObject -computer [SMSServer] -namespace root\sms\site_[SiteCode] -Query "SELECT * FROM SMS_Package WHERE PackageID='[PackageID]'"

Installing device drivers without the device being present

Having completed a number of SOE unattended installations, I have had reason to be able to install device drivers without the device being present. Attempts to install drivers without the device present using well known driver installation tools such as devcon.exe and dpinst.exe, failed to load the device drivers.

During investigation of the process I reviewed the device installation log file, %SystemRoot%\setupapi.log. In hindsight, the log file is quite aptly named in that functions within the setupapi.dll are called to install devices during windows setup and driver installation programs. This was shown by log entries from the devcon and dpinst programs.

Searches for setupapi.dll eventually showed that the SetupCopyOEMInf function is used to install the devices. Which in turn led to Pyron's SetupCopyOEMInf.exe utility. Whilst the utility is fantastic and performs device installation flawlessly, I was after something that could be manipulated if required.

Enter Powershell!

Utilising managed API calls, I was able to write a powershell script that calls the SetupCopyOEMInf function whilst maintaining the flexibility that scripting offers. Whilst by no means the right solution for everyone, this approach further demonstrates the capabilities of powershell.

In summary, the script installs the device drivers without the device being present.

During a standard user session, the device can be plugged in and the device drivers are loaded without prompting for Administrator credentials.



param(
[string] $DriverDir = $(throw "Please specify a directory of drivers to process")
)

$Scripts = Split-Path $Myinvocation.Mycommand.Path
# Copy a Driver to the OEM path (Install driver without the device being present)
#
#
# References
# http://monadblog.blogspot.com/2005/12/calling-win32-api-functions-through.html
# http://www.pinvoke.net/default.aspx/setupapi.SetupCopyOEMInf
#
# Set Error Handling
$ErrorActionPreference = "SilentlyContinue"
$Me = "SetupCopyOEMInf"
$provider = new-object Microsoft.VisualBasic.VBCodeProvider

$params = new-object System.CodeDom.Compiler.CompilerParameters
$params.GenerateInMemory = $True
$refs = "System.dll","Microsoft.VisualBasic.dll"
$params.ReferencedAssemblies.AddRange($refs)
# Find all the .inf files in the specified directory

$TaskDesc = "Locate INF Files"
$TempDir = Get-ChildItem $DriverDir -filter '*.inf' -recurse
If ($? -eq $False) {
Write-Host "Invalid directory $($DriverDir)"
Exit 1
}

$txtCode = @'
Class CopyOEMInf
Private Declare Function SetupCopyOEMInf Lib "setupapi.dll" Alias "SetupCopyOEMInfA" (ByVal SourceInfFileName As String, ByVal OEMSourceMediaLocation As String, ByVal OEMSourceMediaType As Long, ByVal CopyStyle As Long, ByVal DestinationInfFileName As String, ByVal DestinationInfFileNameSize As Long, ByRef RequiredSize As Long, ByVal DestinationInfFileNameComponent As String) As Long

Public Function Main(ByVal sInf As String, ByVal sDir As String) As Long
Const SP_COPY_NEWER As Integer = &H4
Dim lngResult As Long

Dim ret2 As String
Dim ret3 As String

' Install the driver'
lngResult = SetupCopyOEMInf(sInf, sDir, 1, SP_COPY_NEWER, ret2, 255, 255, ret3)
Return(lngResult)
End Function
end class

'@

$cr = $provider.CompileAssemblyFromSource($params, $txtCode)
if ($cr.Errors.Count) {
$codeLines = $txtCode.Split("`n");

foreach ($ce in $cr.Errors) {
Write-Host "Code compilation error, line $($ce.Line - 1)"
write-host "Error: $($codeLines[$($ce.Line - 1)])"
write-host $ce
}
Throw "INVALID DATA: Errors encountered while compiling code"
}

$mAssembly = $cr.CompiledAssembly

$i = $mAssembly.CreateInstance("CopyOEMInf")
# Process each inf file found


$TempDir ¦ foreach {
Write-Host "Installing Driver $($_.Get_FullName().ToString())"

$r = $i.Main($_.Get_FullName().ToString(), $_.Get_Directory().ToString())
}



References
Troubleshooting Device Installation with the SetupAPI Log File
http://www.microsoft.com/whdc/driver/install/setupapilog.mspx
Pyron setupcopyoeminf
http://www.msfn.org/board/Unlimited-number-of-drivers-keeping-th-t43795.html&p=303959#entry303959

http://waynes-world-it.blogspot.com/
Thanks goes to Wayne for introducing the concept and code snippets for compiling managed code from unmanaged scripts.

Friday, May 23, 2008

Effective permissions may be reported incorrectly

Scenario

Using a Domain member computer, the "Advanced / Effective Permissions"
tab is used to evaluate permissions for specific user on a folder.

In this example,
\\[Server]\[Share]\[Folder] and the user specified is a member of the local Administrators group on the Domain Member computer. The "effective permissions"
tab reports that the user holds Full Control for the folder.

Cause
Member computers of a domain are only able to perform group expansion for Built-in groups locally. Thus when the account context is evaluated the Built-In\Administrators membership is returned.

Universally, the SID for Builtin\Administrators is S-1-5-32-544, which cannot be distinguished between the local computer group membership and local server group membership by the "Effective Permissions" tab.

More Information
Permissions for user accounts that are not members of the local computer Administrators group are not affected by this issue.

This issue does not occur if the computer used to evaluate permissions is a domain controller or the server hosting the resource.



Access control lists may report incorrect information in Windows Server
2003
http://support.microsoft.com/kb/884049

MDT 2008 Storage Drivers - 0x0000007B error

I have been testing the MDT 2008 capability to automatically insert mass storage drivers into the unattend.txt and sysprep.inf, and have found that the implementation of the feature does not appear to be working as expected.

The two scripts ZTIStorageDrivers.wsf and ZTIStorageDriversSysprep.wsf seem to enumerate the driver database correctly and make modifications to the appropriate unttend build file (unattend.txt / sysprep.inf), but upon reboot the workstation fails with the 0x0000007B error.

After a number of attempts to get the feature to work it was evident that something was fundamentally wrong with the process. A google search for ZTIStorageDrivers.wsf uncovered a blog post by Michael Niehaus, who is reportedly involved with the MS deployment team.

After following the tip for including the HDC class into the ZTIStorageDriversSysprep.wsf script, the script failed with the same error (32811) as the blog respondent received.

It would seem that until Microsoft release a fix for the bug, we should continue with the practice of hand-crafting the txtsetup.oem / sysprep.inf files.

Once a working hot fix is released I see great benefit in adopting the mechanism to reduce the turnaround time in delivering support for new hardware with new mass storage drivers.


https://blogs.technet.com/mniehaus/archive/2008/05/20/different-types-of-mass-storage-drivers.aspx

Monday, May 19, 2008

NVIDIA Screen resolution resets

Issue

Each time a user without administrative privileges logs on to a workstation the screen resolution is set to the maximum capable resolution.

Cause

The NVIDIA Display Driver Service (NVSvc) inserts the "NvCplDaemon" run key in the machine startup Run key.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The key executes the command "RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup",
which is responsible for setting the screen resolution to the highest capable resolution.

Workaround

Disable the NVIDIA Display Driver service and remove the run key.
This may be achieved from the command line with the following commands;

Sc
\\[ComputerName] config NVSvc startup= disabled
Reg delete \\[ComputerName]\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v NvCplDaemon

Thursday, May 15, 2008

Mandatory ZTI advertisement does not run

When a workstation is built using OSD, the SMS Package and Program are flagged as being executed on the SMS client. This prevents any future mandatory ZTI advertisements from executing. Thus when an automated Computer refresh is undertaken, the refresh may not run.

This workaround specifically relates to ZTI deployments, however, the principals would apply to an SMS Advertisement that requires re-running without modification of the client Execution History.

Cause:
The SMS Client flags the Package and Program has having been previously executed and checks the following registry location when a request to run the Package is received.

HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\[PackageID]\[ExecutionGUID]


If an entry exists for the Package and Program, a message is logged in the ExecMgr.log file, stating that the program cannot be run as it is prevented by policy.


Microsoft reports this as behaviour by design.

Workaround:

Add a second Mandatory Assignment for the actual desired deployment time. This triggers the client to execute the SMS recurring advertisement code and re-runs the advertisement.

To automate a ZTI deployment, I created a new advertisement, added a dummy mandatory assignment time, then a second mandatory assignment for the desired deployment time.

Notes:

With regards to what I have referred to as the ExecutionGUID, I have been unable to find a definitive description of what this part of the registry key entails. So I put forth my description of the entry.


It appears to be a dynamically generated GUID for a unique representation of this execution of the Package/Program on an individual client. This is contrary to Microsoft's description in KB829853 which suggests it is related to the program.

My investigations and testing this showed that the GUID was indeed different for the same Package / Program on different clients.

Checks of the program GUID using the SMS Console "Node Information" tab, with the /sms:nodeinfo=1 switch enabled, showed the Program to have a different GUID to the one listed in the aforementioned registry location.


SMS: Client Does Not Run New Advertisement of the Same Package and Program
http://support.microsoft.com/kb/257271

Advertisements are run again if you upgrade a Systems Management Server 2.0 client to a Systems Management Server 2003 advanced client
http://support.microsoft.com/kb/829853

Wednesday, May 14, 2008

You receive message "Please wait while the domain list is created" when changing the "Log on to" field

Issue
You receive message "Please wait while the domain list is created" when changing the "Log on to" field.

Cause
This message can occur when Sysprep is run on a machine, and a new name is entered for the machine.

The registry contains the DefaultDomainName and AltDefaultDomainName registry keys with the AltDefaultDomainName field containing the value of the old machine name.

When the "Log on to" field is modified Windows attempts to verify the domain as listed in the AltDefaultDomainName field.

Scenario
A machine is built with the name "Workstation1"

During the Sysprep mini-setup wizard a different name is entered for the workstation, "Workstation2".

The value of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v AltDefaultDomainName is still set to the original workstation, "Workstation1".

Workaround
Enter CTL+ALT+DEL again to remove the message and enter your credentials and logon to the workstation or domain.
This sets the AltDefaultDomainName to the logged on domain.

Wednesday, May 7, 2008

Decrypt / Encrypt string in ROT-13

' Converts a string from ROT13
Const Alpha_Upper = "abcdefghijklm" ' First 13 letters

Const Alpha_Lower = "nopqrstuvwxyz" ' Second 13 letters
Dim aAlpha, aStringDim iDim sROT13, sFullROT13


aAlpha = Split(Alpha, ",")
sString = Wscript.Arguments(0)


For i = 1 to Len(sString)
  iPos = InStr(Alpha_Upper, LCase(Mid(sString, i, 1)))
  If iPos > 0 Then ' Found in upper so return corresponding lower character
    sROT13 = Mid(Alpha_Lower, iPos, 1)
  Else
    iPos = InStr(Alpha_Lower, LCase(Mid(sString, i, 1)))
    If iPos > 0 Then
      sROT13 = Mid(Alpha_Upper, iPos, 1)
    Else
      sROT13 = Mid(sString, i, 1) ' Not an alphabetic character, so just return the supplied character
    End If
  End If

  sFullRot13 = sFullRot13 & sROT13
Next

Wscript.Echo sFullROT13

Understanding the Most Frequently Used (MFU) registry key

Have you ever wondered what the gibberish in the MFU key is? These are the items that get populated dynamically in the start menu when you click on an item.

Analysing the key shows some not so obvious items. They are in fact filepath / filename pairs to the files initiated from the start menu.

For some reason Microsoft felt the need to encrypt the entries, presumably from prying eyes. The question I am unable to answer is why?

Anyway the encryption MS chose is a rather simple key substition named ROT-13. Simply, if the alphabet is number 1-26 with A =1, take a character and add 13 to it. For letters toward the end of the alphabet add up to 26, then start at 1.

With scripting this I used an alternate method that was easier to code, see my reference at the bottom of this post for the decrypt rot-13 script.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{7504
8700-EF1F-11D0-9888-006097DEACF9}\count

HRZR_PGYFRFFVBA REG_BINARY C124430E01000000
HRZR_PGYPHNPbhag:pgbe REG_BINARY
01000000020000000000000000000000
HRZR_EHAPCY REG_BINARY 0100000006000000A04C12589864C801
HRZR_EHAPCY:qrfx.pcy REG_BINARY
0100000006000000A04C12589864C801
HRZR_EHACNGU REG_BINARY 010000001300000020E6A157DE66C801
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zzp.rkr REG_BINARY
0100000006000000405D7EF5CC66C801
HRZR_EHACNGU:Q:\frghc.rkr REG_BINARY
010000000600000080794A9ACD66C801
HRZR_EHACVQY REG_BINARY 010000000D00000080DE7657DE66C801
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfugn.rkr REG_BINARY
01000000060000001076BCA0D266C801
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\gbhefgneg.rkr REG_BINARY
01000000000000000000000000000000
HRZR_EHACNGU:P:\Cebtenz Svyrf\Jvaqbjf Zrqvn Cynlre\jzcynlre.rkr
REG_BINARY 01000000000000000000000000000000
HRZR_EHACNGU:P:\JVAQBJF\rkcybere.rkr REG_BINARY
0100000006000000C0E3DCDDD466C801
HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\vrkcyber.rkr
REG_BINARY 010000000A00000000B43246DE66C801
HRZR_EHACVQY:::{2559N1S4-21Q7-11Q4-OQNS-00P04S60O9S0} REG_BINARY
010000000800000080EF4239DE66C801
HRZR_EHACVQY:%pfvqy2%\Vagrearg Rkcybere.yax REG_BINARY
010000000600000030A11F46DE66C801
HRZR_EHACVQY:%pfvqy2%\Nqbor Ernqre 8.yax REG_BINARY
010000000600000080DE7657DE66C801
HRZR_EHACNGU:P:\Cebtenz Svyrf\Nqbor\Ernqre 8.0\Ernqre\NpebEq32.rkr
REG_BINARY 010000000600000020E6A157DE66C801
HRZR_EHACNGU:{NP76ON86-7NQ7-1033-7O44-N81000000003} REG_BINARY
010000000600000020E6A157DE66C801


Decrypted

ueme_ctlsession
ueme_ctlcuacount:ctor
ueme_runcpl ert_ovanel
ueme_runcpl:desk.cpl
ueme_runpath
ueme_runpath:c:\windows\system32\mmc.exe
ueme_runpath:d:\setup.exe
ueme_runpidl
ueme_runpath:c:\windows\system32\mshta.exe
ueme_runpath:c:\windows\system32\tourstart.exe
ueme_runpath:c:\program files\windows media player\wmplayer.exe ueme_runpath:c:\windows\explorer.exe
ueme_runpath:c:\program files\internet explorer\iexplore.exe

ueme_runpidl:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}
ueme_runpidl:%csidl2%\internet explorer.lnk ueme_runpidl:%csidl2%\adobe reader 8.lnk ueme_runpath:c:\program files\adobe\reader 8.0\reader\acrord32.exe

ueme_runpath:{ac76ba86-7ad7-1033-7b44-a81000000003}

Decrypt / Encrypt string using ROT-13 Encryption
http://cmb-it.blogspot.com/2008/05/decrypt-encrypt-string-in-rot-13.html

Friday, May 2, 2008

Windows XP reboots during setup

Issue:
During an unattended setup of Windows XP, the system reboots at T-30 when configuring the network.

Cause:
One cause of this issue is that a duplicate name exists on the network.

Resolution:
Remove the name conflict by either shutting down the existing computer or renaming the computer you are performing an unattended build on.

Tuesday, April 29, 2008

Access a Network Resource Alias using Computer Account

Using a centralised Windows source location, we received "Access Denied", whilst trying to access the network resource using the "System" computer account context.

The SMS package was running in the system account context and attempting to access a network resource using an Alias (CName) record.

Example: \\ALIASNAME\Share

Issue:

A process running as the local system reports "Access Denied" when trying to access an alias network resource.


Access using an interactive account is successful as the "DisableStrictNameChecking" registry modification has been applied to the machine hosting the network resource.

Resolution:

Register the SPN for the alias name.

setspn -A HOST/ALIASNAME.domain.com SERVERNAME


Registering ServicePrincipalNames for
CN=SERVERNAME,DC=domain,DC=com
HOST/ALIASNAME.domain.com

Updated object

The workstation accessing the resource may need to be restarted in order for access using the new SPN to be successful, with the reboot requirement possibly due to caching of the SPN entries. Alternatively, the computer account tickets may be purged.

The Windows Support tool, klist.exe may be used to view the list of tickets that the computer has been granted.
Usage;

klist tickets

Further Information:

By default, when accessing resources in a Windows 2000 or later environment, Kerberos is the preferred authentication method and if unsuccessful the authentication falls back to NTLM.

As part of the Kerberos authentication, the user (in this case the computer account) is unable to receive a valid service ticket for the resource hosted on the alias computer.
Accessing the same resource using the actual host name
\\ServerName\Share is successful as the Kerberos AS is able to locate a registered service principal name (SPN) for the service. Once located, the requesting user is granted a valid service ticket for the machine hosting the resource.

In the case of the computer accessing the resource using the alias, the computer supplies an unknown SPN (ALIASNAME) during Kerberos authentication, from which Kerberos authentication subsequently fails.

Authentication then falls back to NTLM, which also fails for the process running in the computer account context.
Connections to network resources using the computer account are established using a Null session with no credentials manifesting in the "Anonymous Logon" context.
The use of "Anonymous Logon" results in Access Denied. Whilst it is possible to configure the server to allow Anonymous Logons the security of the system is considerably weakened.

Refer to the "Local Service account" section in the "Service account permissions" article for information on Null Session and accessing Network resources.

Thanks goes to
http://waynes-world-it.blogspot.com/ for his assistance.

Alias management


A collegeague asked what would happen if the DNS alias was changed to point to a different host?

Well of course we both knew that it wouldn't work properly, but the real question was about finding out the detail and how an Administrator would work out that the SPN also required changing.

As expected if the DNS alias is modified to point to a different host, the following error is returned when accessing the share.

Logon Failed: The target account name is incorrect.

As I implemented the SPN it was obvious enough that the SPN needed to be modified, however, for someone that didn't implement the SPN, it would be understandable that it may take a bit of finding...

A dump of the tickets information showed that a valid ticket had been granted for the ALIASNAME.domain.com which may not be enough to jog the memory of the administrator.

The following DSQuery command shows the host that holds the SPN associated with the alias name.

dsquery * domainroot -limit 0 -filter "(&(objectCategory=Computer)(servicePrincipalName=*ALIASNAME*))" -attr cn


The output verified that the incorrect host was holding the SPN for the Alias, and using the SetSPN command the Service Principal Name can be correctly added to the correct host.

References:

Kerberos Explained
http://technet.microsoft.com/en-us/library/bb742516.aspx
Users experience authentication issues when they access a Web page in IIS 6.0 or query Microsoft SQL Server 2000 after you install Windows Server 2003 Service Pack 1
http://support.microsoft.com/kb/887993
Kerberos is not used when you connect to SMB shares by using IP address
http://support.microsoft.com/kb/322979
Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003
http://support.microsoft.com/kb/837361
Kerberos Authentication Tools and Settings http://technet2.microsoft.com/windowsserver/en/library/b36b8071-3cc5-46f
a-be13-280aa43f2fd21033.mspx?mfr=true
Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
http://support.microsoft.com/kb/281308
Overview of Server Message Block signing
http://support.microsoft.com/kb/887429
Windows Authentication
http://technet2.microsoft.com/windowsserver2008/en/library/f3cd26b1-a948
-46b7-a8ee-f2fde84f93f81033.mspx?mfr=true
NTLM user authentication in Windows
http://support.microsoft.com/kb/102716
MSV1_0_LM20_LOGON Structure
http://msdn2.microsoft.com/en-us/library/aa378762(VS.85).aspx
PRB: Access Denied When Opening a Named Pipe from a Service
http://support.microsoft.com/kb/126645
Service Running as System Account Fails Accessing Network http://support.microsoft.com/kb/124184/
Service account permissions
http://technet2.microsoft.com/windowsserver/en/library/a958b9d2-3ec1-4ab
0-9f9f-7cb396605f3e1033.mspx?mfr=true

Monday, April 28, 2008

ZTI DefaultDomainName setting lost

During a ZTI based deployment we received intermittent reports of computers with the default domain name being set to the workstation instead of the domain it had joined.

Steps to reproduce the problem.

Set DefaultDomainName to the same name as the domain the computer is joined with mis-matching case.

Click the Drop-down box on the CTL+ALT+DEL screen, the logon box will change the Default Domain to be the workstation.

Cause:
When the DefaultDomainName is set to a name not matching the NetBIOS domain name, the workstation sets the Default domain name to the workstation.
This includes names that do not match case.


A custom script set the
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName" registry field but stored the domain name in lower case.


Resolution:
Modify the custom script to extract the domain from WMI.


"Select DomainName from Win32_NTDomain Where NOT DnsForestName IS NULL"

ZTITattoo.wsf - OSD clears TaskSequence registry entries

During OSD of a custom image the ZTITatoo.wsf script clears the TaskSequenceVersion, TaskSequenceName and TaskSequenceID fields.

Line 131 of ZTITatoo.wsf refers to a registry write action for when an LTI deployment is running.
Line 140 performs the corresponding update for OSD only if a OSD deployment is running.

The contents of TaskSequence* registry fields are pertinent to an OSD deployment as they provide information as to which WIM and Deployment task sequence are utilised.

I would contend that the ZTITatoo.wsf script would be better served having a conditional execution around the update of the LTI TaskSequence* fields.

Something like the following (Line 127);

'//----------------------------------------------------------------------------
'// If this is Lite Touch, populate the task sequence details
'//----------------------------------------------------------------------------
If oEnvironment.Item("OSDPACKAGEID") = "" then
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\BDD 2007\Task Sequence ID", oEnvironment.Item("TaskSequenceID"), "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\BDD 2007\Task Sequence Name", oEnvironment.Item("TaskSequenceName"), "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\BDD 2007\Task Sequence Version", oEnvironment.Item("TaskSequenceVersion"), "REG_SZ"
End If


PowerShell appears to "hang" when executed from a console application

When executing Powershell from within PSExec or VBScript .exec method, powershell appears to hang.

In summary, Powershell doesn’t play nice with console applications.

From what I can gather it maintains a separate footprint for its console streams and therefore, any console based applications relying on STDOUT, STDERR, STDIN manipulation do not operate as expected.

To reproduce using PSExec.exe;

Test.ps1
Write-Output “HELLO”

Psexec –s c:\windows\system32\windowspowershell\v1.0\powershell.exe C:\Test.ps1

Hit CTRL-C and the script outputs “HELLO” as expected.


This suggests that the streams are only returned to the calling console when the script exits.

Wednesday, April 23, 2008

Need to move the Microsoft Deployment Distribution (BDD) file location?

Recently, I needed to move the contents of the LAB deployment point in Microsoft Deployment Toolkit (MDT) to a different location on the filesystem.

As it turns out, this was quite simple.

Edit the Deploy.xml located in the MDT installation directory, by default this is located in %PROGRAMFILES%\Microsoft Deployment Toolkit\Control.

Just find the node in the Deploy.xml file and replace the old path with the new one. Once complete, modify the "Distribution_Dir" registry value to reflect the new path;

HKLM\Software\Microsoft\Deployment 4\
Value: Distribution_Dir
Type: REG_SZ
Data: [NewDistributionDirectoryPath]

Fix Broken Windows Scripting Host

Recently during an SMS application deployment we had an application installation remove the .vbs, .wsf and .js file associations.

I used the following command coupled with psexec.exe to restore functionality to the affected machines remotely.

Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\inf\Wsh.inf

Using this method restores the files associations for .wsh, .vbs, .vbe, .js, .jse, .wsf, .wsc and also ensures that all WSH files are installed. This is the same command that XP Setup uses to install WSH.

Tuesday, April 22, 2008

Set Location in "Regional and Language Options" control panel applet

Having done my share of unattended XP builds for various, invariably one of the items that I am asked is how to change the Country under the Location Tab found in the "Regional and Language options" Control Panel applet.

Originally, this took some finding as it is doesn't appear to be a supported entry for sysprep.inf or unattend.txt.

HKU\.Default\Control Panel\International\Geo
OR
HKCU\Control Panel\International\Geo
Value: Nation
Type: REG_SZ
Data: "12"

(0xC) 12 is the code for Australia.

Tip: To set this in an unattended build, set the HKU\.Default\Control Panel\International\GEO value, as SysPrep does not apply this setting to all users when the HKCU setting is configured.

A complete list of nation codes can be found at
http://msdn2.microsoft.com/en-us/library/ms776390(VS.85).aspx
GetGeoInfo
http://msdn2.microsoft.com/en-us/library/ms776300(VS.85).aspx

Dial up connections do not use LAN proxy settings

The default behaviour changed with Internet Explorer 5 and later, in that each connection has unique proxy settings.

Resolution:
A hotfix is available from Microsoft, see the KB reference. After installing the hotfix, the following registry key can be added per user or per machine.

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
OR
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
DialupUseLanSettings REG_DWORD [01]

http://support.microsoft.com/?kbid=818060

Thursday, April 17, 2008

Ever needed an Automated RunAs?

I went down this path for a Microsoft Deployment Toolkit (BDD) SOE build, as it was running in the wrong context for inserting details into a SQL database (computers and members of an Active Directory Group had access but the local administrator account didn't).

This powershell script accepts a number of arguments and then launches the process as the specified user;

Usage:
Start-RunAs.ps1 process Path [Arguments] [Domain] [User] [Password]

Examples;

Start-RunAs.ps1 "notepad.exe" "$($Env:SystemRoot)\System32"
Start-RunAs.ps1 "notepad.exe" "$($Env:SystemRoot)\System32" "" "domain"
"user"
Start-RunAs.ps1 "notepad.exe" "$($Env:SystemRoot)\System32" ""
"password" "user" "password"



The script could do with some tidying up for day to day use, but you get the idea...


Whilst I have some misgivings about the security of the "SecureString" it may be useful for some user's who wish to run their shell using Principle of Least Privilege...

Probably most notably though was the exercise and the way the PSH team decided to implement the SecureString concept.

It doesn't seem too secure, but as the PSH team offer, it wasn't meant to be, after all the owner of the process (interactive user) already knows the password they just typed in.


The following Powershell code snippet suggests that the password entry is secure. However, in the current session, the password can be found.

$PWD = Read-Host "Enter your password" -assecurestring[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServi
ces.Marshal]::SecureStringToBSTR($PWD))


Running the above commands results in;
Enter your password:: ****
System.Security.SecureString
Test


Still from the angle of security by obscurity, it would stop most prying eyes.


A simpler Runas I hear you ask?

$psi = New-Object System.Diagnostics.ProcessStartInfo "notepad.exe"
$psi.Verb = "runas"
[System.Diagnostics.Process]::Start($psi)

This launches the RunAs GUI, and then the process.

ConvertTo-SecureString
http://technet.microsoft.com/en-us/library/bb978707.aspx

http://www.leeholmes.com/blog/PowerShellCredentialsAndGetNetworkCredential.aspx

Windows PowerShell Securing the Shell
http://technet.microsoft.com/en-us/magazine/cc137808.aspx


param( [string] $FileName = $(throw "Please specify a filename to execute"),
[string] $FilePath = $(throw "Please specify a path to the filename"),
[string] $Arguments,
[string] $UserDomain,
[string] $UserName,
[string] $UserPassword
)

$Scripts = Split-Path $Myinvocation.Mycommand.Path
# Start a specified process as a specific user (RunAs)
#Set Error Handling
$ErrorActionPreference = "SilentlyContinue"
$Me = "Start-RunAs"
# Ensure the supplied filename/path exists

$TaskDesc = "Verify FileName exists"
get-item $FilePath\$FileName
If ($? -eq $False) {
Write-Host " $($TaskDesc) $($Error[0])"
Exit 1
}
# When a username but no password has been supplied, request credentials from user

If ($UserName -ne "" -and $UserPassword -eq "") {
$TaskDesc = "Request User Credentials for $($UserName)"
$UserCred = Get-Credential "$($UserDomain)\$($UserName)"
If ($? -eq $True) {
$UserDomain = $UserCred.UserName.Split("\")[0]
$UserName = $UserCred.UserName.Split("\")[1]
$UserPassword = $UserCred.GetNetworkCredential().Password
} Else {
Write-Host " $($TaskDesc): $($Error[0])"
Exit 2
}
$UserPassword = $UserCred.GetNetworkCredential().Password
} Else {
# present a blank credentials window for the user to populate
$TaskDesc = "Request User Credentials"
$UserCred = Get-Credential
If ($? -eq $True) {
$UserDomain = $UserCred.UserName.Split("\")[0]
$UserName = $UserCred.UserName.Split("\")[1]
$UserPassword = $UserCred.GetNetworkCredential().Password
} Else {
Write-Host " $($TaskDesc): $($Error[0])"
Exit 2
}
}

# A local domain can also be specified
$DOMAINUSER = $UserName
$DOMAINUSERPASSWORD = $UserPassword
$DOMAINUSERDOMAIN = $UserDomain

$SleepInterval = 2

# Number of seconds to wait for process to exit
$psi = New-Object System.Diagnostics.ProcessStartInfo "$($FileName)"
# Configure other process execution parameters
$psi.UseShellExecute = $False

$psi.UserName = $DOMAINUSER
$psi.Password = ConvertTo-SecureString "$($DOMAINUSERPASSWORD)" -AsPlainText -Force
$psi.Domain = $DOMAINUSERDOMAIN
$psi.WorkingDirectory = $FilePath
# $psi.WindowStyle = "Hidden"
$psi.Arguments = $Arguments

$TaskDesc = "Execute process;

"Write-Host "$($TaskDesc)"
Write-Host "$($psi.WorkingDirectory)\$($psi.FileName) $($psi.Arguments) as user $($psi.Domain)\$($psi.UserName)"
$ProcessStart = [System.Diagnostics.Process]::Start($psi)

If ($?) {
While ($ProcessStart.HasExited -ne $TRUE) {
Start-Sleep -s $SleepInterval
}
$ProcessStart.HasExited
} Else {
Write-Host "$($TaskDesc) failed, $($Error[0])"
}

LTI deployment fails with error "A connection to the deployment share (\\Server\Share$) could not be made. The deployment will not proceed."

A connection to the deployment share (\\Server\Share$) could not be made. The deployment will not proceed.

Cause:
A previous build did not complete correctly.

Resolution:
Remove the MDT specific components.

rd c:\minint /s/q
rd c:\_SMSTaskSequence /s/q (if exists)
del x:\Deploy\Tools\x86\TS.xml (if exists)

Run X:\Deploy\Scripts\LiteTouch.wsf (or reboot computer from the MDT Deployment CD)

ZTI PreInstall phase fails with error 214700057

Also the BDD.log file may contain the error
"Unable to get WinNT ADSI provider: (-2147221020)".

Cause:
One cause of this error is that a network location was used for the WinPE source files when running the "Update PE" wizard in SMS.

Resolution:
Extract the "Generic_OSD_x86.iso" to a local directory that is hosting the SMS console and select this location for the WinPE source files when executing the "Update PE" wizard.

ZTI Package update leaves .$M$ file(s)

When updating the Operating System Package files in the SMS Console, you may find that the SMS source location is not updated correctly and some files in the SMS Source location with a .$M$ extension.

Symptoms:
A check of the SMS Source directory for the ZTI image shows files with the .$M$ extension. You may also see entries in the SMS Server logs \SMS\Logs\OSDImage.log file similar to the following;

Failed to get file attributes file://%5BSMSServer%5D/%5BSMSSource%5DZTI_Master_Image/CustomSettings.ini (80070002)

Cause:
The update process compares the existing file with the file from the Windows Deployment Server, in this case the source file has been removed, therefore, the process has no file to compare against. The final rename operation is then not completed. The update process copies new or updated files to the source directory with a temporary name (*.$M$).

Resolution:
Replace the removed file, or create a blank file of the same name. This allows the update process to compare the two files and successfully complete processing.

To permanently remove the file from the comparison process, configure the SMS OSD ZTI program, select the Advanced tab, Click the "ZTI - Validation" phase and remove the file from the file list.

Error creating ZTI CD when using local SMS Console

When running the SMS Admin console locally on your administrative workstation, the CD generated may be different from one generated on the SMS Server.

Depending on your configuration you may receive the error; "unable to load sql server oledb..."

Cause:
The files used to generate the CD locally typically reside in C:\SMSAdmin\OSD

Resolution:
Make sure that the files in your local C:\SMSAdmin\OSD directory have been syncronised with those on the SMS server, [SMSInstallDirectory]\OSD.
Of particular note are the osdshell.exe and OSDWinPE.wim files.

The OSDWinPE.wim contains the customised background that you specified in the Windows PE tab of the MS Deployment workbench.

Wednesday, April 16, 2008

Various WMIC commands

Find the Serial number of a computer
wmic /node:WSNAME1 path win32_computersystemproduct get identifyingnumber
wmic /node:WSNAME1 csproduct get identifyingnumber

Query Active Directory using WMI
WMIC /NAMESPACE:\\root\directory\ldap PATH ds_user WHERE ds_cn="user1" GET ds_department /VALUE

Issue:
WMIC returns error "Invalid Global Switch."
Cause:
This is caused by the computer name containing the "-" special character.
Workaround:
Enclose the computer name with double quotes.

Various DSQUERY commands

Find Hosts having a specified Service Principal Name
dsquery * domainroot -limit 0 -filter "(&(objectCategory=Computer)(servicePrincipalName=*ALIASNAME*))" -attr cn

show intersite transports
dsquery * "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=test,DC=com"
dsquery * "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=test,DC=com" -attr cost cn description replInterval -q
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=test,DC=com" -attr cn Location SiteObject -qdsquery * forestroot -limit 500
dsquery * domainroot -limit 0 -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*server*))" -attr cn operatingSystem
dsquery * domainroot -limit 0 -filter "(&(objectCategory=Group)(objectClass=Group)(cn=group*_suffix))" -attr member

Find disabled user accounts
dsquery * domainroot -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl=514))" -attr cn userAccountControl

Find user accounts that are not disabled
dsquery * domainroot -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(!userAccountControl=514))" -attr cn userAccountControl

Find user accounts that have password set to never expire
dsquery * "OU=UserOU,DC=test,dc=com" -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

Find user with a givenName
dsquery * "OU=UserOU,DC=test,dc=com" -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(givenName=Jenny))" -attr cn GivenName

Disable accounts that have been stale for over 120 days and that have not already been disabled.
for /f "tokens=2 delims==," %i in ('dsquery user "OU=UserOU,DC=test,DC=com" -stalepwd 120') do @dsquery * "OU=UserOU,DC=test,DC=com" -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(!userAccountControl:1.2.840.113556.1.4.803:=2)(cn=%i))" dsmod user -disabled yes

Find all users for an exchange server
dsquery * domainroot -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(msExchHomeServerName=*exch*))" -attr cn

Find users who have been granted the logon to computer right.
dsquery * domainroot -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(userWorkstations=*exch*))" -attr cn

LDAP query for email alias address
"dsquery * -s myexchangeserver domainroot -limit 0 -filter "(&(objectCategory=Group)(proxyAddresses=smtp*))" -attr adspath cn mail info distinguishedName

Find Service connection points
dsquery * domainroot -limit 0 -filter "(&(objectClass=serviceConnectionPoint)(keywords=RIS*))" -attr serviceDNSName

Find Service connection points excluding those in a particular site
dsquery * domainroot -limit 0 -filter "(&(objectClass=serviceConnectionPoint)(keywords=RIS*)(!keywords=Site:Site1))" -attr cn serviceDNSName

Check if computer deletion has replicated to all DC's
for /f "tokens=2 delims==," %i in ('dsquery server') do dsquery computer -name WSName1 -s %i

Lookup done by Roaming SMS client to determine site assignment.
dsquery * domainroot -limit 0 -filter "(&(ObjectClass=mSSMSSite)((mSSMSRoamingBoundaries=10.0.1.0)(mSSMSRoamingBoundaries=TST)))"


Find the Terminal Services profile path for all users in the domain

for /f "tokens=2 delims=,=" %i in ('dsquery user "DC=mydomain,DC=com,DC=au"') do @tsprof /q /domain:MYDOMAIN %i && echo .


To see more useful commands check out this url: http://waynes-world-it.blogspot.com/2008/03/useful-commands.html

Using ImageX to compress a WIM file after modification

When using ImageX to inject or remove files in a WIM file, it may be beneficial to compress the WIM.

Example; a BDD build containing the windows source files was around 1Gb.
After removing the files and without compression resulted in the same size file.

Using the /export function resulted in a reduction of the WIM file of around 400Mb.

imagex /export "c:\Test\003.wim" 1 "c:\Test\003_Compressed.wim" 003CDrive

When installing Windows XP on ESX you may receive stop 0x0000007b error

By default ESX uses LSILogic SCSI driver which is not on the ESX CD.

http://virtrix.blogspot.com/2007/09/vmware-installing-windows-xp-on-esx.html

Download and install the LSILogic SCSI driver for controller 'LSI20320-R' from www.lsilogic.com

VMWare Workstation - After WinPE deploy of sysprep image you receive a stop 0x0000007b error

Cause:

By default in VMWare Workstation 6, the SCSI adapter is configured to be present.

Workaround:
Close the Virtual Machine, and edit the .vmx file, changing the scsi0.present line from TRUE to FALSE

scsi0.present="FALSE"

Pre-Stage Computer resource record in SMS

Specifying the Computer name and MAC address provides a more accurate means of ensuring that the intended computer will assume the pre-staged SMS resource record.

The MAC address is optional, however, it increases the chance that the original physical computer will assume the new SMS Resource record.

Once the pre-staged record has been created, advertisements can be assigned to the record.
The advantage of this is that when the computer is built, it assumes the record and automatically receives the pre-configured advertisements.

See KB 307026 for list of elements checked during SMS client installation
http://support.microsoft.com/kb/307026

SMSResGen.dll is the SMS Resource Generator Object, which is included with the Active Directory/SMS Synchronization Tools. This tool is available from the Microsoft Web site at http://www.microsoft.com/smserver

VBScript Code for pre-staging a computer resource record in SMS

Const ADDPPROP_NONE = &H0
Const ADDPROP_GUID = &H2
Const ADDPROP_KEY = &H8
Const ADDPROP_NAME = &H44
'get the current GUID, if available
sComputer="TEST-WS1"
Set DDR=CreateObject("SMSResGen.SMSResGen.1")
DDR.DDRNew "System", "PrestageAgent", ""
' DDR.DDRAddString "SMS Unique Identifier", GUID, 64, ADDPROP_NAME
DDR.DDRAddString "Name", sComputer, 64, ADDPROP_NAMEDDR.DDRAddString "Netbios Name", sComputer, 64, ADDPROP_KEY
Dim IPAddress(3), IPSubnet(3), MACAddress(3)
IPAddress(0)=""
IPSubnet(0)=""
MACAddress(0)="00:0C:29:96:53:F2"
DDR.DDRAddStringArray "IP Addresses", Array(IPAddress(0),IPAddress(1)), 64, ADDPROP_ARRAY
DDR.DDRAddStringArray "MAC Addresses", Array(MACAddress(0),MACAddress(1)), 64, ADDPROP_ARRAY
DDR.DDRAddStringArray "IP Subnets", Array(IPSubnet(0),IPSubnet(1)), 64, ADDPROP_ARRAY
DDR.DDRWrite sComputer & ".DDR"
DDR.DDRSendtoSMS
Set FSO=CreateObject("Scripting.FileSystemObject")
'FSO.GetFile(sComputer & ".DDR").Delete

Windows Path issues may prevent Group Policy from applying correctly

Issue:
Even though the event log displays EventID 1704 "Security policy in the Group policy objects are applied successfully. ", group policy still has not applied successfully;

Resolution:
Check the Windows Path; it should contain at a minimum the following locations and be less than 1024 characters in length.

C:\Windows;C:\Windows\System32;C:\Windows\System32\WBEM

Hiding or Displaying Default Desktop icons

The default desktop icons can be hidden or displayed using the registry or Group policy. However, before they can be managed using Group Policy the icons must have the following registry keys present.

{20D04FE0-3AEA-1069-A2D8-08002B30309D} - My Computer
{450D8FBA-AD25-11D0-98A8-0800361B1103} - My Documents
{208D2C60-3AEA-1069-A2D7-08002B30309D} - My Network Places
{871C5380-42A0-1069-A2EA-08002B30309D} - Internet Explorer
{645FF040-5081-101B-9F08-00AA002F954E} - Recycle Bin

A DWORD value of 0 displays the icon, 1 hides the icon.
Setting this value in HKCU takes precedence over HKLM.

To hide the icons from the Start Menu add the Key and value to - \Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu To hide the icons from the Desktop add the Key and value to - \Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel

ImportGPO.wsf may not import GPO's using a Migration Table on Windows Server 2003

The ImportGPO.wsf script doesn't correctly test for null values at Line 162.

Cause: Incorrect testing of null value on Line 162

Resolution: See KB911800
http://support.microsoft.com/kb/911800

Permissions for Moving a Computer Account

How to Grant Permission to Move Computer Accounts to a User or Group

http://support.microsoft.com/kb/818091

Summarising this article, the permissions you need to allocate to an account object for creating and moving (deleting!) computer accounts in the domain.

Create account in OU
Read access for OU's from the top-level domain, down the tree to the OU. Very Important
Create/Delete "Computer Objects"
Reset/Change Password for "Computer Objects"

Move account out of an OU (Delete!!)
As per Create
Write all properties this is the key permission that allows objects to be moved out of the OU